Alaska Department of Health and Social Services Breach Impacted 87,000 More Patients Than Previously Thought

In April 2018, the Alaska Department of Health and Social Services (ADHSS) discovered that malware had been installed on a laptop computer. At the time, ADHSS thought the hackers were able to access 501 persons’ electronic protected health information (ePHI); however, on January 22, 2019, state officials claimed that the attackers potentially accessed the ePHI of 500,000 to 700,000 people as a result of the malware infection. Two days later, the number of breach victims was revised to 87,000 individuals, all of whom have now been sent breach notification letters.

The hackers used the Zeus/Zbot Trojan, which is an information stealer. This potentially allowed them to access the ePHI of patients who had previously had dealings with the Department of Public Assistance (DPA) through the DPA Northern regional offices.

The initial investigation revealed that the laptop had visited Russian websites as a result of the malware infection and that the attackers had access to the device from April 26 to April 30, 2018. The malware was believed to have been installed inadvertently by an employee who opened an infected email attachment. Once the malware had been installed, the attackers had full access to the laptop’s hard drive.

ADHSS investigated the incident and reported the breach to the Department of Health and Human Services’ Office for Civil Rights on June 28, 2018. Because of the large volume of data stored on the device, ADHSS sought the FBI’s assistance. The FBI performed an extensive analysis, which took many months to complete. ADHSS was recently notified by the FBI that many more patients had been affected than was previously thought. The FBI investigation is continuing.